With busy businesses to run, privacy can fall down the priority list for many CEOs.
Nigel Jones, ex head of legal at Google EMEA and co-founder of the award-winning Privacy Compliance Hub explains how and why CEOs should give privacy the attention it deserves.
Over the past few months, the Information Commissioner’s Office has fined Reed Online £40,000 for sending unsolicited marketing emails. Tuckers Solicitors received a £98,000 fine after a ransomware attack. And Seaview Brokers was fined £15,000 for making more than 4,000 unsolicited marketing phone calls.
Getting privacy wrong can lead to considerable fines, a damaged reputation and loss of customers. A third of all UK organisations lose customers after a data breach and 40% of customers say they’ll never return to a business after a security issue.
But CEOs also have a moral obligation to get privacy right. As Tim Cook, CEO of Apple pointed out on last year’s Data Privacy Day: “If we accept as normal and avoidable that everything in our lives can be aggregated and sold, then we lose so much more than data. We lose the freedom to be human.”
Faced with a long list of competing priorities, here’s how CEOs can play their part in creating a culture of continuous privacy compliance.
Have a programme
We get it. Privacy can seem complicated and many CEOs don’t take an active role in ensuring their company has an up-to-date, continuously improving privacy programme – or even a privacy programme at all.
But this isn’t a smart way to lead. Privacy is a growing concern for customers, employees, and regulators; improved privacy is already a competitive advantage in many marketplaces. Consumers – and investors – want to see adequate privacy strategies in place. Many will refuse to do business with companies that can’t demonstrate where they stand on using, protecting, and giving individuals rights in relation to personal data.
Have a crisis plan
Those that do not prioritise privacy increase the risk of data breaches. Employees who are less informed about why privacy is important and how it should be protected are more likely to make poor decisions about data usage – putting personal data and their organisation’s future at risk. A sobering 88% of data breaches are down to human error. So even forward-thinking companies that invest heavily on cyber-security can come unstuck due to human error or sophisticated ransomware attacks.
A crisis plan is crucial. Companies have a legal obligation and a financial incentive to report and respond to data breaches in a timely and open manner. If your organisation falls victim to a breach, a simple action plan could save your business millions of pounds in fines and lost revenues due to reputational damage, plus an enormous amount of aggravation.
Appoint a privacy lead
Privacy can fall into the cracks between legal, operations, marketing and even finance departments, resulting in inertia because nobody has been made responsible for developing and maintaining a privacy programme. Does your organisation have someone who ‘owns’ privacy? Organisations have ‘leads’ on sustainability because it’s important to organisational reputation, and it can deliver cost and other benefits. Privacy is no different. CEOs should delegate responsibility to one individual, ensure expectations are clear, and regularly check in on progress.
Then delegate accountability to everyone
But that doesn’t mean the rest of the organisation won’t be involved. The most successful businesses have a shared purpose or vision which unites everyone from the factory or shop floor to the boardroom. While one individual needs to be ultimately responsible for privacy (whether as a formal Data Protection Officer or otherwise), everyone needs to play their part in ensuring an organisation’s privacy programme is a success. Involving every employee has two main benefits; the first is better decision-making on data usage and security, the second is letting employees know that they work for an ethical organisation that strives to do the right thing.
Create a winning privacy culture
One of the mistakes organisations make is preparing a few policy documents on privacy which only the legal department sees, and which soon go out of date due to the changing nature of the business or the regulatory landscape. Treating privacy as a one off project is inadequate. Privacy is fast-moving – consumer attitudes and awareness about how their data are being used are changing, and regulators are showing their teeth.
Privacy needs to stay front of mind, and organisations need to constantly adapt their privacy stance to a changing landscape. That’s where a culture of continuous privacy compliance makes a difference. Having a winning privacy culture, where people understand and care about privacy, where individuals know what they have to do to respect privacy in their day jobs, and where the organisation stays on top of changing regulations helps prevent breaches, and the reputational damage caused by poor privacy practices.
Most CEOs do care deeply about privacy and understand the link between successful privacy practices and successful business. Often the only stumbling block is prioritisation, as business leaders fear long, costly, complicated projects that will remove resources from other tasks. But by making some simple changes, allocating responsibility to a key point person, and stressing the importance of privacy to the whole organisation, CEOs can put privacy at the heart of the organisation’s values and mission. It’s easier than you might think.
Nigel Jones is the co-founder of The Privacy Compliance Hub, a no-nonsense platform created by two ex-Google lawyers that makes compliance easy for everyone to understand and commit to. Take your free 10-minute GDPR health check here.